Data breaches are our own fault. A 2016 study by Phishme found that 91% of all cyber attacks start with a phishing email, and since then these schemes have only gotten more sophisticated in their methods. With recent cybersecurity initiatives in the UK and the US it seems that authorities are waking up to the risks. But the conversation around cybersecurity has to move away from seeing cybercriminals as opportunists if we are to properly address the ever-evolving threats facing us.

An August 2018 study (Kharlamov et al.) found that our perception of cybercrime and our behavior online can be categorized into four key ‘risk attitudes’ that vary depending on demographic and environment. Presented with 30 online activities, participants in both the US and the UK were asked to rate the risk level of each activity and how likely they were to perform these activities on a scale of 1-7. The study found a negative correlation (the higher the perceived risk, the less likely to engage) and revealed four attitude categories: opportunistic (worth the risk), anxious (not worth the risk), ignorant (don’t know, don’t engage) and relaxed (I’m not at risk). The dominant attitude in the US was ‘relaxed’, and in the UK we are mostly ‘anxious.’

I recently interviewed Professor Ganna Pogrebna, one of the study’s co-authors and a fellow of the Alan Turing Institute, and she explained how an understanding of these disparate risk attitudes is crucial to addressing this global problem: in her words ‘we need to break the elephant to pieces in order to eat it.’ Cultural attitudes clearly factor into this disparity, but Pogrebna believes it is predominantly ‘communication around cybersecurity that we need to focus on,’ and pointed out that the way governments, the media, and business leaders think about cybersecurity has a massive influence on our own attitudes.

Communication breakdown

In contrast to the Kharlamov study, a similar study in China found that participants were more likely to engage in riskier activities. Pogrebna puts this down to ‘regulation and information overload’: Chinese people live in such a heavily regulated cyber environment that they become risk-taking because they know that in other countries people do not have the same restrictions as they do.

A similar problem arises when people have too much information about cybersecurity, which is observed in many businesses with aggressive cybersecurity policies for staff and customers: ‘The more you know about a problem, and know that regulation is in place, the less cautious you are online’, says Pogrebna. CEOs that constantly remind employees that they have the best online protection may actually lead them to be more reckless: in fact, cyber threats are designed to catch you unawares, and ‘anyone can make a mistake.’

The corporate environment might coddle us too much, but in the media the dominant theme around cybersecurity is that most data breaches are caused by one person’s stupidity. This ignores the processes that allow breaches to happen (such as insecure email servers) and diminishes the problem, as ‘we think we would never make that mistake ourselves.’ Scare tactics like this also remove the positive aspects of an attack - the fact that we caught it - and don’t provide any useful information around how to avoid them in future.

Fear-mongering is not useful once people are aware of the problem, and the message needs to change before people switch off altogether. ‘It is similar to the message around climate change,’ says Pogrebna, ‘in the UK we say “if you don’t recycle we all die”, whereas in Japan they say “be greener for your kids.”’ The conversation around cybersecurity needs to be refocused in the same way, to ‘celebrate the positives of reducing cyberattacks and [to] punish the process, not the individual.’

The illusion of control

We accept all this fear-mongering and misinformation because of the illusion of control, which in this context equates to a willful ignorance of cybersecurity risks in order to maintain the illusion that we are safe online. Pogrebna illustrates this using the recent GDPR regulation, pointing out that although European citizens now have the right to erase their online footprint, ‘nobody is exercising this right.’ This is not only because doing so requires people to engage with cybersecurity, which is usually considered to be a ‘dry’ and technical topic, but also because doing so would be to admit that their data is at risk of manipulation and attack.

‘We simply don’t want to know the risk if we can avoid it instead’ says Pogrebna, and we are all avoiding the problem in our own way: in the US, cybersecurity is seen as an issue of personal ethics, whereas in the UK it is seen as a public safety issue that should be handled by a wider authority. We need to reconcile these different attitudes if we are to improve cybersecurity as a whole, and realize that educating ourselves around how to tackle cybercrime is both a personal and a communal problem.

Learning our lesson

The most frustrating aspect of cybercrime is how much more advanced cybercriminals are than us. ‘Cybercriminals are very good at educating themselves, and we are still not teaching people how to spot attacks’ says Pogrebna, highlighting our failure to fully understand the risks both in mindset and in practice. ‘The current approach is to build a bigger wall’ to try to keep attackers out, but this is based on a simplistic, outdated view of cybersecurity and wrongly assumes that attackers have been resting on their laurels. As Pogrebna puts it: ‘all this does is attract a better criminal to go around the wall.’

What we need to do is ‘think of the worst case scenario and work backwards,’ to anticipate threats before they happen, and ‘act with security vulnerabilities in mind.’ Blaming an individual for a breach or treating hackers as if they are from 1995 implies that cybercrime is easy to avoid - whereas in fact ‘smart criminals will get you no matter your current level of protection.’ Working through all possible outcomes will help us immeasurably to anticipate new threats and address the root cause of the problem, to build a solid defense strategy instead of piling on more of the same protection.

Proactive mental attitude

It is a sobering thought that not only do we willfully ignore cyber threats, but we also downplay the ability of cybercriminals to access our information. The media portrayal of data breaches is also an important factor as our attitudes are constructed entirely from the information available to us. Reframing the conversation to focus on vulnerabilities in the way we do things, rather than just the mistakes of an individual, will go a long way towards changing people’s perception of online threats.

Ultimately, the only way to address the threats we face is to change our attitudes to cybersecurity, to stop being so ‘anxious’ or ‘relaxed’, educate ourselves about the risks and ‘treat obstacles as an opportunity to learn.’ Cybercriminals might be getting better all the time, but if we become proactive in our approach instead of reactive, they will always find themselves back at the drawing board.

Charles Towers-Clark is Group CEO of Pod Group, an IoT connectivity & billing software provider. His book ‘The WEIRD CEO’ covers AI & the future of work. Follow him @ctowersclark